On Mon, Aug 11, 2014 at 12:30 PM, Alexander Bokovoy <aboko...@redhat.com>

> On Mon, 11 Aug 2014, Michael Lasevich wrote:
>> So, it is NOT intended to use for border-style 2FA authentication (i.e.
>> VPN) - which seems may be a common use case for 2FA?
> You can always supplement authentication check with some host-specific
> information at the VPN concentrator. We don't have ready to use solution
> here but it is definitely possible to use such scheme against FreeIPA
> 2FA.
Sorry, I am not following.  What do you mean by "host-specific
information"? If system has no way to detect how many factors were involved
in authentication, how would I be able to guarantee that only 2FA is
allowed via this box?

I suppose this can work: I can write code that will:

1 - detects if there are OTP numbers at the end of the password
2 - authenticates using full 2FA
3 - authenticates using just password without 2FA

And then authenticate only if all 3 conditions are satisfied. Seems a bit
hacky, but that is the only way I can think that may work.

Alternative is to set up 2 users for each actual user, one for border and
one for internal auth. Force 2fa on border user.  Only allow border users
on border boxes.

Am I missing anything?


> --
> / Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to